2. DFA on AES, how hard is that?
• 2003: Gilles Piret and Jean-Jacques Quisquater, 2 faults
• 2013: Christophe Giraud and Adrian Thillard, 1 fault
• 2013: Riscure, up to 50 faults
Is Riscure stupid?
3. Outline
• How does single fault DFA on AES work?
• What’s wrong with single fault DFA?
• So, how does Riscure do DFA?
• Demo
5. Finding the fault value
• Fault in specific byte propagates to 4 output bytes
• Each fault pair of correct and faulty output bytes halves the number of values for the random fault
[Figure panels: Out0 on fault, Out7 on fault, Out10 on fault, Out13 on fault, Outall on fault]
Group of 4 affected output bytes reduces possible fault values in known byte to about 15
6. Finding the key value
• A specific fault value matches with two key values
• Group key space reduced from 32 bits to ~8 bits
[Figure: mapping from fault value to key value]
15 × (2 * 2 * 2 * 2) = 240
4 faults can break the key
• 4 x 32 reduced to 4 x 8 bits
• Remaining entropy is 32 bits
• Can be brute forced
[Figure labels: K0, K7, K10, K13]
7. One fault catches all
• Inject fault before in round 8
Fault randomly changes chosen byte
• MixColumn propagates fault in column
• ShiftRow propagates fault to 4 cells
• MixColumn propagates 4 faults in 4 columns
• ShiftRow propagates 4 faults to 16 cells, exposing 16 key bytes
• So, one correct + fault pair + 32 bit brute force reveals 128 bit key!
[Figure: fault propagation from the 8th round through the 9th and 10th rounds (Substitute, ShiftRow, MixColumn, AddKey) to the output]
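The propagation listed on this slide, tracked as a 16-bit mask of state bytes that can differ between the correct and the faulty run. This is an added example, not code from the original slides; it assumes column-major state byte order and a fault placed just before MixColumn of round 8 or 9, and the names `mask_t`, `shift_row_mask`, `mix_column_mask` and `output_mask` are made up for it.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit i set = state byte i may differ between the correct and faulty run.
   Byte i sits in row i % 4, column i / 4 (column-major order, assumed). */
typedef uint16_t mask_t;

/* ShiftRow rotates row r left by r: (r, c) moves to column (c - r) mod 4. */
mask_t shift_row_mask(mask_t m) {
    mask_t out = 0;
    for (int i = 0; i < 16; i++)
        if (m & (1u << i)) {
            int r = i % 4, c = i / 4;
            out |= (mask_t)(1u << (r + 4 * ((c - r + 4) % 4)));
        }
    return out;
}

/* MixColumn: one differing byte in a column makes all 4 bytes of it differ. */
mask_t mix_column_mask(mask_t m) {
    mask_t out = 0;
    for (int c = 0; c < 4; c++)
        if (m & (0xFu << (4 * c)))
            out |= (mask_t)(0xFu << (4 * c));
    return out;
}

/* Fault in state byte `byte` just before MixColumn of round 8 or 9.
   Substitute and AddKey change values, not positions, so they are skipped. */
mask_t output_mask(int round, int byte) {
    mask_t m = (mask_t)(1u << byte);
    for (int r = round; r <= 9; r++) {
        m = mix_column_mask(m);   /* MixColumn of round r */
        m = shift_row_mask(m);    /* ShiftRow of round r + 1 */
    }
    return m;
}

int main(void) {
    /* round 9: output bytes 0, 7, 10, 13; bytes 0 and 1 share a column */
    printf("round 9, byte 0: 0x%04X\n", (unsigned)output_mask(9, 0));
    printf("round 9, byte 1: 0x%04X\n", (unsigned)output_mask(9, 1));
    /* round 8: all 16 output bytes */
    printf("round 8, byte 0: 0x%04X\n", (unsigned)output_mask(8, 0));
    return 0;
}
```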
8. What’s wrong with single-fault DFA?
Fault model must be known
• Unknown byte hit?
Faults in same column are non-distinguishable
9. What’s wrong with single-fault DFA?
Fault model must be known
• Unknown byte hit?
blind byte hit multiplies search space by 4
• Unknown round hit?
blind round hit multiplies search space by 10
• Unknown operation hit?
/* mul2[] and mul3[] are lookup tables for multiplication by 2 and 3 in GF(2^8), defined elsewhere */
void mix_column( unsigned char* column ) {
    /* keep the input bytes: column[] is overwritten in place */
    unsigned char a = column[0];
    unsigned char b = column[1];
    unsigned char c = column[2];
    unsigned char d = column[3];
    column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
    column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
    column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
    column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
}
Alternative faults change effect
10. What’s wrong with single-fault DFA?
Fault model must be known
• Unknown byte hit?
blind byte hit multiplies search space by 4
• Unknown round hit?
blind round hit multiplies search space by 10
• Unknown operation hit?
out-of-model faults mess up the key search
Practice
• 32 bit AES brute force takes 20 minutes
• With unknowns this can grow to days
• Brute force key search impossible when input missing
• We hate waiting
11. Our approach
Experience
If a target is vulnerable to fault injection, it’s relatively easy to collect multiple faults
Procedure
1. acquire outputs while injecting faults (almost a minute)
2. select faults that match the fault model (few ms)
3. use voting and exclusion to reduce key space to 0..24 bits using 24..50 faults (few ms)
4. brute force to match input or fault model (few sec)
We replace single-fault DFA by single-minute DFA
13. 2. Fault selection
• Hit ‘Key addition’, ‘Substitute’, ‘Shift row’, or ‘Mix column’
• Check that only 4 output bytes change
• Accept that some faults have alternative fault model
[Figure labels: Usable, Too little, Too much]
/* mul2[] and mul3[] are lookup tables for multiplication by 2 and 3 in GF(2^8), defined elsewhere */
void mix_column( unsigned char* column ) {
    /* keep the input bytes: column[] is overwritten in place */
    unsigned char a = column[0];
    unsigned char b = column[1];
    unsigned char c = column[2];
    unsigned char d = column[3];
    column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
    column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
    column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
    column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
}
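A sketch of the "only 4 output bytes change" check from this slide, sorting a correct/faulty output pair into usable, too little or too much. This is an added example, not Riscure's code; the byte groups assume column-major state order, the sample output is constructed, and `classify_fault`, `classify_mask` and the `OUT_OF_MODEL` label are names made up here.

```c
#include <stdint.h>
#include <stdio.h>

/* Negative results reject the pair; 0..3 is the usable column group.
   OUT_OF_MODEL is a label added for this example. */
enum { TOO_LITTLE = -1, TOO_MUCH = -2, OUT_OF_MODEL = -3 };

/* Output byte positions (bit i = byte i, column-major state order assumed)
   reached by a fault in state column 0..3 before the last MixColumn:
   {0,7,10,13}, {1,4,11,14}, {2,5,8,15}, {3,6,9,12}. */
static const uint16_t GROUP_MASK[4] = { 0x2481, 0x4812, 0x8124, 0x1248 };

int classify_fault(const uint8_t good[16], const uint8_t bad[16]) {
    uint16_t diff = 0;
    int changed = 0;
    for (int i = 0; i < 16; i++)
        if (good[i] != bad[i]) {
            diff |= (uint16_t)(1u << i);
            changed++;
        }
    if (changed < 4) return TOO_LITTLE;   /* includes "no effect at all" */
    if (changed > 4) return TOO_MUCH;     /* e.g. fault in an earlier round */
    for (int g = 0; g < 4; g++)
        if (diff == GROUP_MASK[g]) return g;
    return OUT_OF_MODEL;                  /* 4 bytes, but not one group */
}

/* Constructed reference output; faulty outputs are built by flipping
   the bytes selected by `mask`, so no real device data is involved. */
static const uint8_t GOOD[16] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
                                  0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

int classify_mask(uint16_t mask) {
    uint8_t bad[16];
    for (int i = 0; i < 16; i++)
        bad[i] = (uint8_t)(GOOD[i] ^ (((mask >> i) & 1) ? 0xA5 : 0x00));
    return classify_fault(GOOD, bad);
}

int main(void) {
    static const uint16_t samples[] = { 0x0000, 0x0481, 0x2481, 0x1248, 0x000F, 0xFFFF };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("diff 0x%04X -> %d\n", (unsigned)samples[i], classify_mask(samples[i]));
    return 0;
}
```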
14. 3. Key space reduction (one fault)
• 4 potential fault bytes per group → join possible key values
• Almost half of all key bytes match
• Frequency = probability
[Figure panels: Fault in A, Fault in B, Fault in C, Fault in D, Fault in ANY]
A E I M
B F J N
C G K O
D H L P
15. 3. Key space reduction (multi fault)
[Figure panels: 1, 2, 1+2, sum(8), sum(12) and 1, 2, 1*2*(1+2), prodsum(4), prodsum(8); row labels: Voting, Voting and Exclusion]
Full key extraction takes 32 up to 50 unique faults
16. 4. Brute force
When to brute force?
• Verify correctness of candidates
• Only few faults available
• Can be efficient when 24 bits (or less) missing
• Too little variation in faults
How to brute force?
• Match keys with input/output
• Reverse last round and detect earlier faults
17. Conclusion
• Prior AES DFA work not practical due to
  • Unknowns
  • Out-of-model faults
• DFA practical when
  • Fault selection on format
  • Candidates selected by voting
• Practical DFA on AES can be fast: replace ‘single-fault’ by ‘single-minute’
• Remaining research questions
  • Attack skipped rounds?
  • Attack without duplicate plaintext?
18. Riscure North America
71 Stevenson Street, Suite 400
San Francisco, CA 94105
USA
Phone: +1 650 646 99 79
inforequest@riscure.com
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Contact: Marc Witteman
CTO